Digital Identity

Digital Identity is a good introduction to identity management architectures and the world of federated identity.

Many people who review their credit report for the first time are shocked to learn how many identities are linked to them. Even when there is no problem of identity theft, it is not uncommon for people to have 10 or more names linked to their credit reports due to various errors, including permutation of their name.

Just as it is difficult to maintain and manage identities in the real world, it is difficult to maintain and manage digital identities. As the digital economy is becoming more ubiquitous, the need for a single federated identity is becoming more critical. In Digital Identity, Phillip Windley details the steps needed to develop an identity management architecture (IMA).

Identity management has become a pressing need in the past few years. This has come about because networks and systems are no longer geared around a single infrastructure, and businesses have become increasingly virtual and decentralized. In previous years, there were simply internal users. Today, systems have internal users, along with external users such as consultants, contractors, third-parties, customers, collaborators, and many more. Such requirements necessitate a well-designed and planned IMA.

So what is this thing called IMA? Windley defines an IMA as the coherent, enterprise-wide set of standards, policies, certifications, and management activities that enable an organization to effectively manage digital identities.

IMA is also known as federated identity. The book notes that the real challenge in developing a federated identity infrastructure is dealing with the various different hardware and software platforms where user accounts reside, and working with different organizations and departments, including the ever-increasing amount of outsourcing. When all of that is put together, a single federated identity is not easy to come by if there is not an IMA in place.

The beauty of an IMA is that it allows an organization to securely link and exchange identity information across partner, supplier, and customer organizations, while having a single architecture. This makes identity management seamless.

The first 11 chapters of Digital Identity do a good job of introducing the underlying concepts of an IMA, including security, trust, authentication, access control, and names and directories. Without an effective security infrastructure in place, any IMA deployed will not be fully effective.

One oddity, though, is that in Chapter 6, the author defines cryptography as the science of making the cost of discovery of hidden information greater than the value of the information itself. This is the author's own characterization of cryptography and while interesting, is not how it is used in mainstream security.

Chapter 12 starts to get into the internals of federated identities. This and the rest of the chapters do not deal with the deep technical details of an IMA, rather it shows how to design and deploy the IMA in a context of a corporate environment under a single set of policies and procedures. Windley emphasizes that an IMA is not so much a technical issue, but rather a business issue that must be deployed in a business context.

This idea of a business context is manifest in Chapter 18, which deals with identity policies. The book creates what it calls an IMA policy stack, which is the interoperability framework for the IMA. The stack includes all of the elements necessary for the IMA, and comprises an identity management architecture, framework, and set of standards. The standards include all protocols and applications, from SSL, XML, LDAP, DNS, and much more. The framework includes policy issues such as naming, passwords, encryption, provisioning, and more. Finally, the architecture details the specific high-level controls (procurement, contracts, licensing, etc.) around the IMA.

The book itself is worth it solely for the information in this chapter. Anyone attempting to deploy an IMA without first getting a handle on the issues details in Chapter 18 will find that their IMA will likely be seriously deficient.

The only negatives to the book are a few too many editing mistakes that should have been caught during the editing process. Also, the author frequently discusses his own trials and tribulations of using an IMA during his short stint as CIO of the State of Utah and with previous employers. Depending on the readers' specific tastes, some my find the heavy use of the first-person anecdotes to be a negative.

Overall, Digital Identity provides the reader with a good introduction to the various areas necessary to develop a productive identity management infrastructure. Anyone planning to deploy an IMA or any sort of federated identity solution in a corporate environment will find Digital Identity a valuable reference.